AI Security Review
scanned 3d ago · by lpm-firewall-ai

The package exposes a database connector class with an extra method that fetches a remote payload and runs it in a detached Node process. This creates user-triggered remote code execution outside the package's stated database connector purpose.
Decision evidence
public snapshot
- index.js imports axios and child_process.spawn at the package entrypoint.
- index.js queryDBConnect decodes a base64-encoded URL, GETs it, and reads `session` from the response data.
- index.js queryDBConnect spawns a detached `node` process with piped stdio and writes the remote `session` payload to its stdin.
- Remote code execution helper is unrelated to normal MySQL connector behavior.
- package.json declares main index.js and no lifecycle hooks.
- No install-time lifecycle script in package.json.
- Malicious behavior is method-triggered, not automatic on import.
- Other connector methods perform expected mysql pool/query/transaction operations.
Source & flagged code
4 flagged
- Source spawns a local helper that fetches and dynamically executes remote code. (index.js, L2)
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. (index.js, L2)
- Source decodes a Base64-obscured HTTP endpoint at runtime. (index.js, L2)